feat: Enable CEX based LUKS encryption #423
base: main
1b5275d to
d323e4c
Compare
| @@ -0,0 +1,16 @@ | |||
| variant: openshift | |||
| version: 4.19.0 | |||
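Review bot: `version: 4.19.0` on the second line is a fixed pin with nothing in the file saying why. If the pin is deliberate, put a one-line comment above it stating the minimum release it depends on, so a later edit of the value is not made blindly.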
Version need not be hardcoded here
The version must be hardcoded since the cex feature is only available from 4.19.0 and above. If a user alters the version, it is very difficult to troubleshoot what is causing the luks encryption to fail.
@madhu-pillai Shall we mention this version dependency also in the documentation?
docs/set-variables-group-vars.md
Outdated
|
|
||
| ## Crypto Express Card based LUKS encryption specific for zKVM ( Optional ) | ||
| **Variable Name** | **Description** | **Example** | ||
| **cex_uuid_map** | Specify guest hostname: "UUID:domain" UUID can be generated from uuidgen command and domain can be retrieved from lszcrypt | upi-cex-control-1: "68cd2d83-3eef-4e45-b22c-534f90b16cb9:00.0035" |
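Review bot: in the `cex_uuid_map` row the description gives the value as "UUID:domain", but the second field of the example is `00.0035`, a two-part value. State the exact form expected after the colon, as `lszcrypt` prints it, so the user copies the right column.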
User can benefit from appropriate referral doc link here for lszcrypt, uuidgen etc
lszcrypt and uuidgen are native Linux commands for s390x. They do not require documentation.
| @@ -0,0 +1,16 @@ | |||
| variant: openshift | |||
| version: 4.19.0 | |||
Same as above: the version need not be hardcoded.
Delete all the butane files.
| spec: | ||
| config: | ||
| ignition: | ||
| version: 3.5.0 |
Version need not be hardcoded; change for all instances.
Deleted all the ignition files.
| --noautoconsole | ||
| --noautoconsole \ | ||
| {% set vm_name = env.cluster.nodes.compute.vm_name[i] %} | ||
| {% set hostdev = '--hostdev ' + cex_hostdev_map[vm_name] if cex_device is defined and cex_hostdev_map is defined and vm_name in cex_hostdev_map else '' %} |
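Review bot: on the `{% set hostdev ... %}` line, `cex_device is defined` is true even when the variable is set to false, so `--hostdev` is still emitted for a user who switched the feature off but left `cex_hostdev_map` in place. Test the value rather than its existence, for example `cex_device | default(false) | bool`.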
For consistency and cleaner code, create cex_hostdev in the vars section as defined in the role "create_control_node".
Done
d323e4c to
9277127
Compare
1. Configure the CEX in KVM host
2. Use the right device type ignition for MCO
3. Attach the CEX mediated device to guest vm
Signed-off-by: Madhu Pillai <madhupillai80@gmail.com>
9277127 to
5fc3f5c
Compare
|
@sandisamp |
| device: /dev/disk/by-partlabel/root | ||
| fcp: | ||
| layout: s390x-fcp # or s390x-fcp if needed | ||
| device: /dev/disk/by-label/root |
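Review bot: the comment on `layout: s390x-fcp # or s390x-fcp if needed` offers the same value that is already set, so it names no alternative. Put the intended other layout in the comment or drop it. The two `device:` lines also differ (`/dev/disk/by-partlabel/root` and `/dev/disk/by-label/root`); if that is intended, say why next to them.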
@madhu-pillai
Can you please update the documentation with these variables also, as user might need to override these variables if needed.
This PR is for IBM Crypto Express Card based LUKS encryption for KVM.
2. Use the right device type ignition for MCO
3. Attach the CEX mediated device to guest vm